Share this story

In 2013, Yahoo announced that it would begin scanning its users' e-mail for targeted advertising purposes—just as Google does. As is par for the course, class-action lawsuits were filed. The Silicon Valley media giant, according to one of the lawsuits, was violating the "personal liberties" of non-Yahoo Mail users. That's because non-Yahoo Mail users, who have sent mail to Yahoo mail users, were having their e-mail scanned without their permission.

"Plaintiff and the Class are among the multitude of U.S. residents who have sent electronic communications or emails to a Yahoo Mail user or users, and whose personal liberties have been, and continue to be, intruded upon when these private communications are read or, in the alternative, eavesdropped upon by Yahoo," the lawsuit read. (PDF) The suit said that Yahoo's new scanning policies adopted under Yahoo chief Marissa Mayer violated federal and state privacy laws and that Yahoo's e-mail scanning regime "seriously threatens the free exercise of personal liberties, and is of the type of behavior that the U.S. Congress and the California Legislature has declared should not be tolerated in a free and civilized society."

The suit, which was one of six that were co-mingled as a single class action, demanded that a judge halt the scanning and award each victim "$5,000 or three times actual damages" in addition to "reasonable attorneys' fees and costs."

Fast forward three years. The case is now closed. Days ago, a Silicon Valley federal judge signed off (PDF) on a settlement (PDF). The lawyers won, they were awarded $4 million (£3 million), and the public got nothing. What's more, the settlement allows Yahoo to continue to scan e-mails without non-Yahoo users' consent. (Yahoo Mail customers have granted consent to the scanning as a condition of using the service.) The major change the lawsuit produced was that Yahoo is agreeing to scan the e-mail while it's at rest on its servers instead of while the mail is in transit. This, according to the settlement, satisfies the California Invasion of Privacy Act (CIPA) claims. The deal spells out that Yahoo only has to do this for three years, but Yahoo said it would continue with the new scanning protocol after the three years expire.

Let the e-mail scanning continue

In September 2015, plaintiffs' lawyers argued that CIPA was breached even when the e-mail was being scanned at rest. "The plain language of the statute, however, prohibits the interception of communications both while they are in transit and while they are being received" (PDF). The judge clearly didn't agree.

The agreement, however, does require Yahoo to be a tad more transparent. It requires Yahoo to beef up its "Yahoo Privacy Center Webpage" to clearly state that "Yahoo analyzes and stores all communications content, including email content from incoming and outgoing mail." And on the "Yahoo Mail Webpage," the heading "Personally Relevant Experiences" must be replaced with the heading "Information Collection and Use Practices."

But reading US District Judge Lucy Koh's settlement approval order, you'd be left thinking the public was served. Koh, a well-known Silicon Valley federal judge whom President Barack Obama has nominated to the 9th US Circuit Court of Appeals, wrote that "Class Counsel achieved a result that was beneficial to the Class. Yahoo now no longer scans or analyzes Yahoo Mail content that is in transit in violation of CIPA," Koh wrote.

And in explaining why she signed the deal, Koh's order highlights how the case has mutated over the year, from wanting the interception blocked outright to demanding consent, and:

As to the strength of Plaintiffs’ case, Plaintiffs have achieved their stated goal in this litigation: Yahoo will no longer intercept and analyze emails in transit for advertising purposes. Instead, for the next three years, Yahoo may only analyze incoming email after the email reaches a Yahoo Mail users’ inbox, and Yahoo may only analyze outgoing email after the email is in a Yahoo Mail users’ sent email folder. These changes, according to Yahoo’s Senior Manager of Engineering, will require "a considerable investment of time, money, and resources."

The four named plaintiffs in the case will each receive $5,000.

In September, the plaintiffs' lawyers were demanding that Judge Koh issue a declaration that Yahoo was violating CIPA and the federal Stored Communications Act, which generally prohibits spying on stored communications on servers without consent.

The law is the law

"A declaration as to the lawfulness of Yahoo’s conduct under these circumstances will be based on actual facts and provide a conclusive finding that will guide not only Yahoo’s future conduct but that of other similar companies," one of the lead plaintiffs' lawyers, Daniel Girard, wrote Koh. The judge, whose appellate court nomination is pending, did not issue such a declaration.

In a telephone interview, Girard said Yahoo gets to continue to scan e-mail. But Yahoo will do it lawfully—when the e-mail communications are at rest on Yahoo servers—instead of unlawfully, while the e-mails are in transit.

"We just enforced the law that was available to us," Girard said. "Unless you got some other law, that's all you can do."

At this juncture. We might be wondering about Google, the pioneer of e-mail scanning. Google is being sued under a similar class action representing people with non-Gmail accounts who have had their messages scanned without consent. That case is pending before Judge Koh.

Share this story

David Kravets
The senior editor for Ars Technica. Founder of TYDN fake news site. Technologist. Political scientist. Humorist. Dad of two boys. Been doing journalism for so long I remember manual typewriters with real paper. Emaildavid.kravets@arstechnica.com//Twitter@dmkravets